openssl 3.3.1 - TLS 1.3 handshake fails #206

Closed
kilinitt opened this issue Jun 19, 2024 · 2 comments

@kilinitt

Hello,

crypto-test.sh fails on TLS 1.3 handshake with openssl 3.3.1:

/build/golang-fips/scripts # ./crypto-test.sh --suites tls

##### tls-fips (default)
--- FAIL: TestBoringCertAlgs (3.20s)
panic: tls: HKDF-Expand-Label invocation failed unexpectedly [recovered]
        panic: tls: HKDF-Expand-Label invocation failed unexpectedly

goroutine 185 [running]:
testing.tRunner.func1.2({0x6e3e40, 0x7e8e80})
        /build/golang-fips/go/src/testing/testing.go:1631 +0x1c4
testing.tRunner.func1()
        /build/golang-fips/go/src/testing/testing.go:1634 +0x33c
panic({0x6e3e40?, 0x7e8e80?})
        /build/golang-fips/go/src/runtime/panic.go:770 +0x124
crypto/tls.(*cipherSuiteTLS13).expandLabel(0x9d4ce0, {0x40003b4ce0, 0x20, 0x20}, {0x749d9b?, 0x7?}, {0x40003b4d00, 0x20, 0x20}, 0x20)
        /build/golang-fips/go/src/crypto/tls/key_schedule.go:66 +0x408
crypto/tls.(*cipherSuiteTLS13).deriveSecret(0x9d4ce0, {0x40003b4ce0, 0x20, 0x20}, {0x749d9b, 0x7}, {0x0?, 0x0?})
        /build/golang-fips/go/src/crypto/tls/key_schedule.go:86 +0xc4
crypto/tls.(*serverHandshakeStateTLS13).sendServerParameters(0x40005277d8)
        /build/golang-fips/go/src/crypto/tls/handshake_server_tls13.go:615 +0x170
crypto/tls.(*serverHandshakeStateTLS13).handshake(0x40005277d8)
        /build/golang-fips/go/src/crypto/tls/handshake_server_tls13.go:59 +0x58
crypto/tls.(*Conn).serverHandshake(0x4000104708, {0x7ec858, 0x40000a6230})
        /build/golang-fips/go/src/crypto/tls/handshake_server.go:53 +0x120
crypto/tls.(*Conn).handshakeContext(0x4000104708, {0x7ec6d0, 0xa7adc0})
        /build/golang-fips/go/src/crypto/tls/conn.go:1553 +0x338
crypto/tls.(*Conn).HandshakeContext(...)
        /build/golang-fips/go/src/crypto/tls/conn.go:1493
crypto/tls.(*Conn).Handshake(...)
        /build/golang-fips/go/src/crypto/tls/conn.go:1477
crypto/tls.boringHandshake(0x40005021a0?, 0x4000502000, 0x40005021a0)
        /build/golang-fips/go/src/crypto/tls/boring_test.go:202 +0x220
crypto/tls.TestBoringCertAlgs.func1(0x40005031e0, {0x74976b, 0x5}, 0x400022f680, {0x722d00, 0x400041c300}, {0x400022f710, 0x2, 0x2}, 0x0)
        /build/golang-fips/go/src/crypto/tls/boring_test.go:380 +0x1c4
crypto/tls.TestBoringCertAlgs(0x40005031e0)
        /build/golang-fips/go/src/crypto/tls/boring_test.go:438 +0x4f4
testing.tRunner(0x40005031e0, 0x78ada8)
        /build/golang-fips/go/src/testing/testing.go:1689 +0xec
created by testing.(*T).Run in goroutine 1
        /build/golang-fips/go/src/testing/testing.go:1742 +0x318
FAIL    crypto/tls      3.433s
FAIL

I've tested openssl 3.0.13 in the same environment and all is well. Below is the openssl providers output:

/build/golang-fips/scripts # openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.3.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active

Can you kindly provide guidance on an ETA for a fix, or if the issue should be reported elsewhere? Thank you.

@archanaravindar
Collaborator

This may be solved by this #205 (comment).
Could you please check, @kilinitt?

@kilinitt
Author

Thank you @archanaravindar, that works.
